tribunal-kit 2.4.6 → 3.1.0

package/.agent/workflows/review.md

@@ -1,155 +1,116 @@
 ---
-description: Audit existing code for hallucinations. Runs Logic + Security reviewers on any code without generating anything new.
+description: Audit existing code for hallucinations. Runs Logic + Security reviewers on any code without generating anything new. The pure review mode — read, analyze, and report only.
 ---
 
-# /review — Code Audit (No Generation)
+# /review — Hallucination Audit (Read-Only)
 
 $ARGUMENTS
 
 ---
 
-This command audits code you already have. **Nothing is generated.** The reviewers read, analyze, and report — that's it.
+## When to Use /review
 
-Paste code directly after the command, or point to a file.
+|Use `/review` when...|Use something else when...|
+|:---|:---|
+|Auditing code you didn't write|AI-specific code review → `/review-ai`|
+|Checking existing code for hallucinations|Need Tribunal with generation → `/generate`|
+|Pre-merge code review|Full pre-deploy audit → `/audit`|
+|Validating AI-generated output|Security only → `/tribunal-backend`|
+|Reviewing code from a junior developer||
 
 ---
 
-## When to Use /review vs Other Commands
-
-| Use `/review` when... | Use something else when... |
-|---|---|
-| You want to audit code you already wrote | You want to generate new code → `/generate` |
-| You received AI-generated code from another tool | Code needs full pre-merge audit → `/tribunal-full` |
-| You suspect a security issue in one file | Full project security sweep → `/audit` |
-| You want a quick sanity check on a PR | Pre-merge review → `/tribunal-full` |
-
----
-
-## How to Use It
-
-**Via paste:**
+## The Review Contract
 
 ```
-/review
-
-[paste code here]
-```
-
-**Via file reference:**
-
-```
-/review src/services/auth.service.ts
-/review src/routes/user.ts for injection risks
-```
-
-**With a specific concern:**
-
-```
-/review src/db/queries.ts focus: SQL injection only
-/review the auth middleware focus: auth bypass and secrets
+/review is READ ONLY.
+No files are modified.
+No code is generated.
+Only findings and recommendations are produced.
 ```
 
 ---
 
-## What Always Runs
+## Active Reviewers
 
-```
-logic-reviewer      → Methods that don't exist, conditions that can't be true,
-                      undefined variables used before assignment,
-                      unreachable code, inverted boolean logic
+Logic + Security run on ALL code by default.
 
-security-auditor    → SQL injection, hardcoded credentials, auth bypass,
-                      unvalidated input, exposed stack traces,
-                      insecure defaults, OWASP Top 10
-```
-
-## What Also Runs (Based on Code Type)
+**Additional reviewers auto-activated by content:**
 
-| Code Contains | Additional Reviewer Activated |
-|---|---|
-| `SELECT`, `INSERT`, `UPDATE`, ORM queries | `sql-reviewer` |
-| React hooks, Vue components, JSX | `frontend-reviewer` |
-| TypeScript generics, `any`, type assertions | `type-safety-reviewer` |
-| `import`, `require`, third-party packages | `dependency-reviewer` |
-| `openai`, `anthropic`, `gemini`, LLM SDK calls | `ai-code-reviewer` |
-| Performance-critical loops or async paths | `performance-reviewer` |
+|Code Contains|Additional Reviewers|
+|:---|:---|
+|SQL, Prisma, database operations|`sql-reviewer`|
+|React, hooks, components|`frontend-reviewer`|
+|TypeScript types, generics|`type-safety-reviewer`|
+|npm imports, package.json|`dependency-reviewer`|
+|Tests, specs, describe/it blocks|`test-coverage-reviewer`|
+|LLM API calls (OpenAI, Anthropic)|`ai-code-reviewer`|
+|ARIA, disability, a11y|`accessibility-reviewer`|
 
 ---
 
-## Severity Levels
-
-| Symbol | Level | Meaning |
-|---|---|---|
-| `❌ CRITICAL` | Must Fix | Security vulnerability or data loss risk |
-| `❌ HIGH` | Must Fix | Logic error or likely production bug |
-| `⚠️ MEDIUM` | Should Fix | Non-critical but risky pattern |
-| `💬 LOW` | Advisory | Code smell or style concern |
-
----
-
-## Audit Report Format
+## Review Output Format
 
 ```
-━━━ Audit: [filename or snippet title] ━━━━━━━━━
-
-Active reviewers: logic · security · [others]
+━━━ Code Review — [filename or description] ━━━━━
 
-logic-reviewer:       ✅ No hallucinated APIs or impossible logic found
-security-auditor:     ❌ REJECTED
+Logic Review:   ✅ APPROVED | ⚠️ [N] warnings | ❌ [N] critical
+Security:       ✅ APPROVED | ⚠️ [N] warnings | ❌ [N] critical
 
-Findings:
-  ❌ CRITICAL — Line 8
-     Type: SQL injection
-     Code: `db.query(\`SELECT * WHERE id = ${id}\`)`
-     Fix:  db.query('SELECT * WHERE id = $1', [id])
+━━━ Findings (sorted by severity) ━━━━━━━━━━━━━━
 
-  ⚠️ MEDIUM — Line 22
-     Type: Unguarded optional access
-     Code: `user.profile.name`
-     Fix:  `user?.profile?.name ?? 'Unknown'`
+[CRITICAL] [File:Line] [description] → [specific fix]
+[HIGH]     [File:Line] [description] → [specific fix]
+[MEDIUM]   [File:Line] [description] → [note]
 
-  💬 LOW — Line 34
-     Type: Magic number
-     Code: `setTimeout(fn, 3000)`
-     Fix:  Extract to named constant: `const RETRY_DELAY_MS = 3000`
-
-━━━ Summary ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-1 CRITICAL issue blocking integration.
-1 MEDIUM issue — review before shipping.
-1 LOW advisory — consider addressing.
-
-Verdict: REJECTED — fix CRITICAL issues before merging.
+━━━ Verdict: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+✅ APPROVED — code is production-ready
+⚠️ WARNINGS — [N] items to address before release
+❌ CRITICAL — [N] blockers must be resolved
 ```
 
 ---
 
-## Hallucination Guard
+## What Each Reviewer Looks For
+
+### logic-reviewer
+- Methods called on wrong object types
+- Impossible states that will throw at runtime
+- Functions called before they're defined
+- Missing null checks on potentially-undefined values
 
-- Reviewers **read the actual code** — they don't assume what it does from function names
-- Every finding includes the **exact line and exact code** — no vague claims
-- Proposed fixes are **real, documented API calls** — not invented alternatives
-- Severity ratings are **evidence-based** — "CRITICAL" is never used for style concerns
+### security-auditor
+- SQL injection (string interpolation in queries)
+- XSS (user content in innerHTML or dangerouslySetInnerHTML)
+- JWT issues (no algorithm enforcement, weak secrets)
+- Auth order (business logic before auth check)
+- Hardcoded secrets
 
 ---
 
-## Cross-Workflow Navigation
+## Hallucination-Specific Checks
 
-| If review reveals... | Go to |
-|---|---|
-| CRITICAL security issues | `/audit` to check if the pattern exists elsewhere |
-| Code needs to be rewritten | `/generate` to regenerate with Tribunal protection |
-| More reviewers needed | `/tribunal-full` for all 11 reviewers |
-| Pattern found across many files | `/refactor` to fix the root abstraction |
+The review specifically catches:
+
+```
+□ Methods imported from packages that don't export them
+□ React hooks that don't exist (fabricated hook names)
+□ Prisma methods removed in current version (findOne, upsertMany)
+□ Next.js 15 dynamic APIs used without await (cookies, headers, params)
+□ React 19 deprecated API usage (useFormState instead of useActionState)
+□ Parameters passed to LLM APIs that don't exist (max_length, format, memory)
+□ Model names that don't exist (gpt-5, claude-4, gemini-ultra)
+```
 
 ---
 
-## Usage
+## Usage Examples
 
 ```
-/review the auth middleware
-/review this SQL query [paste]
-/review src/routes/user.ts for injection risks
-/review my React component for hooks violations
-/review src/services/payment.ts focus: error handling and data exposure
+/review src/lib/auth.ts
+/review the entire src/app/api/checkout/ directory
+/review the PaymentForm component
+/review this code: [paste code inline]
+/review src/lib/ai-chat.ts for AI API hallucinations
+/review the last generated code before we write it to disk
 ```

package/.agent/workflows/session.md

@@ -1,154 +1,94 @@
 ---
-description: Interactive session state tracking for multi-conversation context continuity.
+description: Interactive session state tracking for multi-conversation context continuity. Saves and restores agent context across separate sessions so work can be resumed without losing progress.
 ---
 
-# /session — Interactive Session State Tracker
+# /session — Session State Management
 
-Use this workflow to maintain context and track overarching goals across multiple single-chat sessions. It acts as a logbook that survives conversation resets.
+$ARGUMENTS
 
 ---
 
-## When to Use This
+## Commands
 
-- Starting a long multi-session task (spanning multiple conversations)
-- Resuming work after a break — load the last checkpoint instantly
-- Tracking parallel workstreams (tag different sessions)
-- Exporting a summary of work for documentation or handoff
+```
+/session save      → Save current session state to disk
+/session restore   → Restore most recent session
+/session status    → Show current session summary
+/session new       → Create a new session (archive current)
+/session list      → List all saved sessions
+```
 
 ---
 
-## Commands
+## Execution
 
 ```bash
-# ── Core commands ──────────────────────────────────────────────────
-
-# Save a checkpoint of the current session
-// turbo
-python .agent/scripts/session_manager.py save "working on auth middleware"
-
-# Load the current active session (note + tags)
-// turbo
-python .agent/scripts/session_manager.py load
-
-# Compact status overview: active session + last 3 checkpoints
-// turbo
+python .agent/scripts/session_manager.py save
+python .agent/scripts/session_manager.py restore
 python .agent/scripts/session_manager.py status
-
-# View the last 10 session checkpoints
-// turbo
-python .agent/scripts/session_manager.py show
-
-# ── Tagging and filtering ─────────────────────────────────────────
-
-# Add a label/tag to the current session
-python .agent/scripts/session_manager.py tag <label>
-python .agent/scripts/session_manager.py tag v2-feature
-
-# ── History and export ────────────────────────────────────────────
-
-# Paginated list of ALL sessions (most recent first)
+python .agent/scripts/session_manager.py new
 python .agent/scripts/session_manager.py list
-python .agent/scripts/session_manager.py list --all   # show entire history
-
-# Export all sessions to session_export.md (or stdout)
-python .agent/scripts/session_manager.py export
-python .agent/scripts/session_manager.py export --stdout
-
-# Clear the session data entirely to start fresh
-python .agent/scripts/session_manager.py clear
 ```
 
 ---
 
-## Command Reference
-
-| Command | Description |
-|---|---|
-| `save <note>` | Save a new session checkpoint with a note |
-| `load` | Display the current active session |
-| `status` | Compact 3-session status summary + active session |
-| `show` | Show the last 10 sessions |
-| `tag <label>` | Add a tag to the current session (e.g., `v2-feature`, `auth-sprint`) |
-| `list [--all]` | Paginated full session history |
-| `export [--stdout]` | Export all history to `session_export.md` |
-| `clear` | Delete the session state file entirely |
-
----
-
-## How It Works
-
-Session state is stored in `.agent_session.json` in the project root.
-
-**Start of a new conversation:** run `status` immediately to re-establish situational awareness:
+## What Gets Saved
 
 ```
-python .agent/scripts/session_manager.py status
+Session state includes:
+□ Current task.md content
+□ Summary of what was completed this session
+□ Open questions / blocked items
+□ Files modified in this session (from git status)
+□ Next planned actions
 ```
 
-**When reaching a natural waypoint** (completed a task, switching context): run `save` with a descriptive note so the next session starts with full context.
-
-**Tags** group related sessions for filtering and export. Use them for features, sprints, or bugfix tracks.
-
 ---
 
-## Workflow Patterns
+## Session File Format
 
-**Starting a session:**
-```
-User:  /session save "Finished implementing JWT strategy. Next: user endpoints."
-Agent: ✅ Session saved: Finished implementing JWT strategy...
-       Session: #5, tagged: auth-sprint
-```
+```markdown
+# Session: [timestamp]
 
-**Resuming after a break:**
-```
-User:  /session status
-Agent: ━━━ Session Status ━━━━━━━━━━━━━━━━━━━━━━━━
-         Total sessions: 5
-         Active:         #5 — Finished implementing JWT strategy...
-
-         Last 3 sessions:
-           #5  2026-03-03T23:15  [auth-sprint]  Finished JWT strategy...
-           #4  2026-03-03T21:00  [auth-sprint]  Completed DB schema for auth...
-           #3  2026-03-03T18:30  [auth-sprint]  Set up project structure...
-```
+## Completed This Session
+- [task item 1 — completed]
+- [task item 2 — completed]
 
-**Exporting for handoff or documentation:**
-```
-User:  /session export
-Agent: ✅ Exported 5 sessions to session_export.md
-```
+## In Progress
+- [task item 3 — started but not finished]
 
----
+## Blocked
+- [item] — blocked by [reason]
 
-## Best Practices
+## Files Modified
+- src/lib/auth.ts
+- src/app/api/users/route.ts
 
-| Practice | Why |
-|---|---|
-| Save at every natural stopping point | Next session starts with accurate context |
-| Use descriptive notes with "Next:" | Gives future sessions a clear direction |
-| Tag sessions by feature or sprint | Makes export and filtering useful |
-| Run `status` at every session start | Reestablishes context without reading the full history |
+## Next Session: Start With
+1. [first thing to do in the next session]
+2. [second thing]
+
+## Open Questions
+- [question 1]
+```
 
 ---
 
-## Cross-Workflow Navigation
+## When to Use /session
 
-| Use /session when... | Then go to... |
-|---|---|
-| Starting a multi-session task | `/plan` to write the formal plan for the work |
-| Resuming work on a feature | Load session, then continue with relevant workflow |
-| Work is complete, documenting it | `/changelog` to record what was built |
+```
+End of work session:   /session save → so next session can restore context
+Next work session:     /session restore → avoid re-explaining context
+Complex multi-day task: /session save between each work block
+Context handoff:       /session save → share session file with collaborator
+```
 
 ---
 
-## Usage
+## Usage Examples
 
 ```
-/session save "Finished JWT middleware. Next: protect API routes."
-/session status
-/session tag auth-sprint
-/session list
-/session export
-/session load
+/session save   (at end of coding session)
+/session restore (at start of next coding session)
+/session status (check what was accomplished)
 ```

package/.agent/workflows/status.md

@@ -1,125 +1,79 @@
 ---
-description: Display agent and project status. Progress tracking and status board.
+description: Display agent and project status. Shows task.md progress, last audit results, CI status, and recently modified files. Read-only — no changes made.
 ---
 
-# /status — Session View
+# /status — Project Health Dashboard
 
 $ARGUMENTS
 
 ---
 
-This command shows the current state of the active Tribunal session — what has run, what passed, what was rejected, and what is waiting at the Human Gate.
-
----
-
-## When to Use This
-
-- After starting a multi-agent task to see which reviewers finished
-- When a reviewer rejected code and you want details on the finding
-- To check whether anything is currently at the Human Gate awaiting your decision
-- To get a snapshot of the session before resuming after a break
-
----
-
-## Sub-commands
+## What /status Shows
 
 ```
-/status              → Full session view (default)
-/status issues       → Show only REJECTED and WARNING verdicts
-/status gate         → Show what's currently at the Human Gate
-/status agents       → Show only the agent activity table
-/status history      → Show the last 5 completed tribunal sessions
+1. Active task progress (from task.md)
+2. Last audit results summary
+3. Recent git activity (last 5 commits)
+4. File modification timestamps (hot files)
+5. Current server status
 ```
 
 ---
 
-## Session Dashboard
-
-```
-━━━ Tribunal Session ━━━━━━━━━━━━━━━━━━━━
-
-Mode:     [Generate | Review | Plan | Audit | Swarm]
-Request:  [original prompt or task name]
-Started:  [timestamp]
-
-━━━ Agent Activity ━━━━━━━━━━━━━━━━━━━━━
+## Execution
 
-  logic-reviewer          ✅ APPROVED
-  security-auditor        ❌ REJECTED — 1 CRITICAL issue
-  dependency-reviewer     ✅ APPROVED
-  type-safety-reviewer    ⚠️  WARNING — 1 MEDIUM issue
-  performance-reviewer    🔄 Running...
-  sql-reviewer            ⏸️  Queued
+```bash
+# 1. Task progress
+cat .gemini/antigravity/brain/*/task.md 2>/dev/null || echo "No active task"
 
-━━━ Blocked Issues ━━━━━━━━━━━━━━━━━━━━━
+# 2. Recent git activity
+git log --oneline -5
 
-❌ security-auditor [CRITICAL] — src/routes/user.ts line 34
-   Type: SQL injection via string interpolation
-   Code: db.query(`WHERE id = ${id}`)
-   Fix:  db.query('WHERE id = $1', [id])
+# 3. Recently modified source files (last 24 hours)
+find src/ -name "*.ts" -o -name "*.tsx" -newer package.json 2>/dev/null | head -10
 
-⚠️ type-safety-reviewer [MEDIUM] — src/auth/jwt.ts line 12
-   Type: Implicit any in parameter
-   Code: function decodeToken(payload) { ... }
-   Fix:  function decodeToken(payload: JWTPayload) { ... }
+# 4. Server status (non-blocking)
+python .agent/scripts/auto_preview.py status 2>/dev/null
 
-━━━ Human Gate ━━━━━━━━━━━━━━━━━━━━━━━━
-
-  Status: ⏸️  Awaiting your decision before any file is written.
-
-  Blocked on: security-auditor rejection (CRITICAL)
-  Action required: Fix the issue and resubmit, or discard.
-
-  Options:
-    ✅ Approve  — write the approved changes to disk
-    🔄 Revise   — send back to the Maker with feedback
-    ❌ Discard  — drop this generation entirely
+# 5. Quick type check
+npx tsc --noEmit 2>&1 | tail -5
 ```
 
 ---
 
-## Status Symbols
-
-| Symbol | Meaning |
-|---|---|
-| `✅ APPROVED` | Agent complete — no blocking issues |
-| `🔄 Running` | Agent currently executing |
-| `⏸️ Queued` | Waiting for a prior stage to complete |
-| `❌ REJECTED` | Blocking finding — code cannot proceed |
-| `⚠️ WARNING` | Non-blocking finding — review before approving |
-| `N/A` | Reviewer ran but this domain not present in code |
-
----
+## Status Report Format
 
-## Retry Counter
+```
+━━━ Project Status ━━━━━━━━━━━━━━━━━━━━━━━
 
-The status view also shows how many revision attempts have been made:
+Project:    [name from package.json]
+Branch:     [git branch]
+Last commit: [hash] — [message] — [time ago]
 
-```
-Maker revision: 2 of 3 (1 remaining before escalation)
-```
+━━━ Active Task ━━━━━━━━━━━━━━━━━━━━━━━━━
+[task.md content if exists, else: No active task]
 
-After 3 revisions without resolving a CRITICAL rejection, the session halts and reports to the user.
+━━━ Recent Changes (24h) ━━━━━━━━━━━━━━━━
+  [timestamp] src/app/api/auth/login/route.ts
+  [timestamp] src/lib/auth.ts
+  [timestamp] prisma/schema.prisma
 
----
+━━━ TypeScript ━━━━━━━━━━━━━━━━━━━━━━━━━
+✅ Zero errors | ❌ N errors found
 
-## Cross-Workflow Navigation
+━━━ Dev Server ━━━━━━━━━━━━━━━━━━━━━━━━━
+✅ Running at http://localhost:3000 | ⭕ Not running
 
-| If /status shows... | Go to |
-|---|---|
-| CRITICAL security rejection | `/review [file]` for focused audit |
-| Multiple rejections across domains | `/tribunal-full` if it hasn't run yet |
-| Session stalled at Human Gate | Review findings and decide: approve/revise/discard |
-| Everything approved, ready to write | Confirm the Human Gate to write to disk |
+━━━ Next Steps ━━━━━━━━━━━━━━━━━━━━━━━━━
+[any currently incomplete task items from task.md]
+```
 
 ---
 
 ## Usage
 
 ```
-/status
-/status issues
-/status gate
-/status agents
-/status history
+/status              → Full project status
+/status task         → Active task progress only
+/status recent       → Recently modified files only
 ```